@vacbo/opencode-anthropic-fix 0.0.44 → 0.1.1

package/src/circuit-breaker.ts

@@ -0,0 +1,235 @@
+export enum CircuitState {
+  CLOSED = "CLOSED",
+  OPEN = "OPEN",
+  HALF_OPEN = "HALF_OPEN",
+}
+
+export const BreakerState = CircuitState;
+
+export interface CircuitBreakerOptions {
+  clientId?: string;
+  failureThreshold?: number;
+  resetTimeoutMs?: number;
+}
+
+export interface CircuitBreakerConfig {
+  clientId?: string;
+  failureThreshold: number;
+  resetTimeoutMs: number;
+}
+
+export interface CircuitBreakerSuccess<T> {
+  success: true;
+  data: T;
+}
+
+export interface CircuitBreakerFailure {
+  success: false;
+  error: string;
+}
+
+export type CircuitBreakerResult<T> = CircuitBreakerSuccess<T> | CircuitBreakerFailure;
+
+const DEFAULT_FAILURE_THRESHOLD = 5;
+const DEFAULT_RESET_TIMEOUT_MS = 30_000;
+
+const pendingClientBreakers = new Map<string, CircuitBreaker>();
+
+function normalizeConfig(options: CircuitBreakerOptions = {}): CircuitBreakerConfig {
+  return {
+    clientId: options.clientId,
+    failureThreshold: Math.max(1, Math.trunc(options.failureThreshold ?? DEFAULT_FAILURE_THRESHOLD)),
+    resetTimeoutMs: Math.max(0, Math.trunc(options.resetTimeoutMs ?? DEFAULT_RESET_TIMEOUT_MS)),
+  };
+}
+
+function getErrorMessage(error: unknown): string {
+  if (error instanceof Error && error.message) {
+    return error.message;
+  }
+
+  if (typeof error === "string" && error) {
+    return error;
+  }
+
+  return "Unknown error";
+}
+
+function isPromiseLike<T>(value: T | Promise<T>): value is Promise<T> {
+  return typeof value === "object" && value !== null && "then" in value;
+}
+
+function releasePendingClientBreaker(clientId: string, breaker: CircuitBreaker): void {
+  queueMicrotask(() => {
+    if (pendingClientBreakers.get(clientId) === breaker) {
+      pendingClientBreakers.delete(clientId);
+    }
+  });
+}
+
+export class CircuitBreaker {
+  private readonly config: CircuitBreakerConfig;
+
+  private state = CircuitState.CLOSED;
+  private failureCount = 0;
+  private openedAt: number | null = null;
+  private resetTimer: ReturnType<typeof setTimeout> | null = null;
+
+  constructor(options: CircuitBreakerOptions = {}) {
+    this.config = normalizeConfig(options);
+  }
+
+  getState(): CircuitState {
+    return this.state;
+  }
+
+  getFailureCount(): number {
+    return this.failureCount;
+  }
+
+  getOpenedAt(): number | null {
+    return this.openedAt;
+  }
+
+  getConfig(): CircuitBreakerConfig {
+    return { ...this.config };
+  }
+
+  canExecute(): boolean {
+    return this.state !== CircuitState.OPEN;
+  }
+
+  recordSuccess(): void {
+    if (this.state === CircuitState.HALF_OPEN) {
+      this.transitionToClosed();
+      return;
+    }
+
+    if (this.state === CircuitState.CLOSED) {
+      this.failureCount = 0;
+    }
+  }
+
+  recordFailure(): void {
+    if (this.state === CircuitState.HALF_OPEN) {
+      this.transitionToOpen();
+      return;
+    }
+
+    if (this.state === CircuitState.OPEN) {
+      return;
+    }
+
+    this.failureCount += 1;
+
+    if (this.failureCount >= this.config.failureThreshold) {
+      this.transitionToOpen();
+    }
+  }
+
+  transitionToHalfOpen(): void {
+    this.clearResetTimer();
+    this.state = CircuitState.HALF_OPEN;
+    this.openedAt = null;
+    this.failureCount = 0;
+  }
+
+  execute<T>(
+    operation: () => T | Promise<T>,
+  ): CircuitBreakerResult<Awaited<T>> | Promise<CircuitBreakerResult<Awaited<T>>> {
+    if (!this.canExecute()) {
+      return {
+        success: false,
+        error: "Circuit breaker is OPEN",
+      };
+    }
+
+    try {
+      const result = operation();
+
+      if (isPromiseLike(result)) {
+        return result
+          .then((data) => {
+            this.recordSuccess();
+            return {
+              success: true,
+              data: data as Awaited<T>,
+            } satisfies CircuitBreakerSuccess<Awaited<T>>;
+          })
+          .catch((error: unknown) => {
+            this.recordFailure();
+            return {
+              success: false,
+              error: getErrorMessage(error),
+            } satisfies CircuitBreakerFailure;
+          });
+      }
+
+      this.recordSuccess();
+      return {
+        success: true,
+        data: result as Awaited<T>,
+      };
+    } catch (error) {
+      this.recordFailure();
+      return {
+        success: false,
+        error: getErrorMessage(error),
+      };
+    }
+  }
+
+  dispose(): void {
+    this.clearResetTimer();
+  }
+
+  private transitionToClosed(): void {
+    this.clearResetTimer();
+    this.state = CircuitState.CLOSED;
+    this.failureCount = 0;
+    this.openedAt = null;
+  }
+
+  private transitionToOpen(): void {
+    this.clearResetTimer();
+    this.state = CircuitState.OPEN;
+    this.openedAt = Date.now();
+    this.scheduleHalfOpenTransition();
+  }
+
+  private scheduleHalfOpenTransition(): void {
+    this.resetTimer = setTimeout(() => {
+      this.resetTimer = null;
+      if (this.state === CircuitState.OPEN) {
+        this.transitionToHalfOpen();
+      }
+    }, this.config.resetTimeoutMs);
+
+    this.resetTimer.unref?.();
+  }
+
+  private clearResetTimer(): void {
+    if (!this.resetTimer) {
+      return;
+    }
+
+    clearTimeout(this.resetTimer);
+    this.resetTimer = null;
+  }
+}
+
+export function createCircuitBreaker(options: CircuitBreakerOptions = {}): CircuitBreaker {
+  if (!options.clientId) {
+    return new CircuitBreaker(options);
+  }
+
+  const existingBreaker = pendingClientBreakers.get(options.clientId);
+  if (existingBreaker) {
+    return existingBreaker;
+  }
+
+  const breaker = new CircuitBreaker(options);
+  pendingClientBreakers.set(options.clientId, breaker);
+  releasePendingClientBreaker(options.clientId, breaker);
+  return breaker;
+}

package/src/cli.test.ts

@@ -0,0 +1 @@
+import "../cli.test.ts";

package/src/cli.ts

@@ -52,6 +52,7 @@
 import { AsyncLocalStorage } from "node:async_hooks";
 import { exec } from "node:child_process";
 import { pathToFileURL } from "node:url";
+import { findByIdentity, resolveIdentityFromOAuthExchange } from "./account-identity.js";
 import { CLIENT_ID, getConfigPath, loadConfig, saveConfig, VALID_STRATEGIES } from "./config.js";
 import { authorize, exchange, revoke } from "./oauth.js";
 import { createDefaultStats, getStoragePath, loadAccounts, saveAccounts } from "./storage.js";
@@ -129,7 +130,7 @@ function shortPath(p: string) {
  * @returns {string}
  */
 function stripAnsi(str: string) {
-  // eslint-disable-next-line no-control-regex
+  // eslint-disable-next-line no-control-regex -- ANSI escape sequences start with \x1b which is a control char
   return str.replace(new RegExp("\x1b\\[[0-9;]*m", "g"), "");
 }
 
@@ -165,6 +166,7 @@ function rpad(str: string, width: number) {
  * @param {{ refreshToken: string, access?: string, expires?: number }} account
  * @returns {Promise<string | null>}
  */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- mutable account shape shared across CLI/plugin; full typing deferred
 export async function refreshAccessToken(account: Record<string, any>) {
   try {
     const resp = await fetch("https://platform.claude.com/v1/oauth/token", {
@@ -178,6 +180,7 @@ export async function refreshAccessToken(account: Record<string, any>) {
       signal: AbortSignal.timeout(5000),
     });
     if (!resp.ok) return null;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OAuth token response shape is external API contract
     const json: any = await resp.json();
     account.access = json.access_token;
     account.expires = Date.now() + json.expires_in * 1000;
@@ -216,6 +219,7 @@ export async function fetchUsage(accessToken: string) {
  * @param {{ refreshToken: string, access?: string, expires?: number, enabled: boolean }} account
  * @returns {Promise<{ usage: Record<string, any> | null, tokenRefreshed: boolean }>}
  */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- mutable account shape shared across CLI/plugin; full typing deferred
 export async function ensureTokenAndFetchUsage(account: Record<string, any>) {
   if (!account.enabled) return { usage: null, tokenRefreshed: false };
 
@@ -288,6 +292,7 @@ const USAGE_LABEL_WIDTH = 13;
  * @param {Record<string, any>} usage
  * @returns {string[]}
  */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- upstream Anthropic usage API response has unstable bucket shapes
 export function renderUsageLines(usage: Record<string, any>) {
   const lines = [];
   for (const { key, label } of QUOTA_BUCKETS) {
@@ -403,18 +408,26 @@ export async function cmdLogin() {
 
   // Load or create storage
   const storage = stored || { version: 1, accounts: [], activeIndex: 0 };
+  const identity = resolveIdentityFromOAuthExchange(credentials);
+
+  const existing =
+    findByIdentity(storage.accounts, identity) ||
+    storage.accounts.find((acc) => acc.refreshToken === credentials.refresh);
+  if (existing) {
+    const existingIdx = storage.accounts.indexOf(existing);
 
-  // Check for duplicate refresh token
-  const existingIdx = storage.accounts.findIndex((acc) => acc.refreshToken === credentials.refresh);
-  if (existingIdx >= 0) {
     // Update existing account
-    storage.accounts[existingIdx].access = credentials.access;
-    storage.accounts[existingIdx].expires = credentials.expires;
-    if (credentials.email) storage.accounts[existingIdx].email = credentials.email;
-    storage.accounts[existingIdx].enabled = true;
+    existing.refreshToken = credentials.refresh;
+    existing.access = credentials.access;
+    existing.expires = credentials.expires;
+    existing.token_updated_at = Date.now();
+    if (credentials.email) existing.email = credentials.email;
+    existing.identity = identity;
+    existing.source = existing.source ?? "oauth";
+    existing.enabled = true;
     await saveAccounts(storage);
 
-    const label = credentials.email || `Account ${existingIdx + 1}`;
+    const label = credentials.email || existing.email || `Account ${existingIdx + 1}`;
     log.success(`Updated existing account #${existingIdx + 1} (${label}).`);
     return 0;
   }
@@ -429,6 +442,7 @@ export async function cmdLogin() {
   storage.accounts.push({
     id: `${now}:${credentials.refresh.slice(0, 12)}`,
     email: credentials.email,
+    identity,
     refreshToken: credentials.refresh,
     access: credentials.access,
     expires: credentials.expires,
@@ -440,6 +454,7 @@ export async function cmdLogin() {
     consecutiveFailures: 0,
     lastFailureTime: null,
     stats: createDefaultStats(now),
+    source: "oauth",
   });
 
   // If this is the first account, it's already active at index 0
@@ -728,7 +743,11 @@ export async function cmdList() {
     }
   }
   if (anyRefreshed) {
-    await saveAccounts(stored).catch(() => {});
+    // Best-effort persistence — if saveAccounts fails, the CLI continues to render the
+    // status view with the in-memory refreshed tokens. The next command run will retry persisting.
+    await saveAccounts(stored).catch((err) => {
+      console.error("[opencode-anthropic-auth] failed to persist refreshed tokens:", err);
+    });
   }
 
   log.message(c.bold("Anthropic Multi-Account Status"));
@@ -1215,7 +1234,7 @@ export async function cmdStrategy(arg?: string) {
 
   const normalized = arg.toLowerCase().trim();
 
-  if (!VALID_STRATEGIES.includes(normalized as any)) {
+  if (!VALID_STRATEGIES.includes(normalized as (typeof VALID_STRATEGIES)[number])) {
     log.error(`Invalid strategy '${arg}'. Valid strategies: ${VALID_STRATEGIES.join(", ")}`);
     return 1;
   }
@@ -1625,10 +1644,10 @@ ${c.dim("Files:")}
 // Main entry point
 // ---------------------------------------------------------------------------
 
-/** @type {AsyncLocalStorage<{ log?: (...args: any[]) => void, error?: (...args: any[]) => void }>} */
+/** @type {AsyncLocalStorage<{ log?: (...args: unknown[]) => void, error?: (...args: unknown[]) => void }>} */
 type IoStore = {
-  log?: (...args: any[]) => void;
-  error?: (...args: any[]) => void;
+  log?: (...args: unknown[]) => void;
+  error?: (...args: unknown[]) => void;
 };
 const ioContext = new AsyncLocalStorage<IoStore>();
 
@@ -1662,10 +1681,10 @@ function uninstallConsoleRouter() {
 
 /**
  * Run with async-local IO capture without persistent global side effects.
- * @param {{ log?: (...args: any[]) => void, error?: (...args: any[]) => void }} io
+ * @param {{ log?: (...args: unknown[]) => void, error?: (...args: unknown[]) => void }} io
  * @param {() => Promise<number>} fn
  */
-async function runWithIoContext(io: Record<string, any>, fn: () => Promise<number>) {
+async function runWithIoContext(io: IoStore, fn: () => Promise<number>) {
   installConsoleRouter();
   try {
     return await ioContext.run(io, fn);
@@ -2013,13 +2032,13 @@ async function dispatch(argv: string[]) {
 /**
  * Parse argv and route to the appropriate command.
  * @param {string[]} argv - process.argv.slice(2)
- * @param {{ io?: { log?: (...args: any[]) => void, error?: (...args: any[]) => void } }} [options]
+ * @param {{ io?: { log?: (...args: unknown[]) => void, error?: (...args: unknown[]) => void } }} [options]
  * @returns {Promise<number>} exit code
  */
 export async function main(
   argv: string[],
   options: {
-    io?: { log?: (...args: any[]) => void; error?: (...args: any[]) => void };
+    io?: IoStore;
   } = {},
 ) {
   if (options.io) {

package/src/commands/router.ts

@@ -15,6 +15,26 @@ import { completeSlashOAuth, startSlashOAuth, type OAuthFlowDeps, type PendingOA
 
 export const ANTHROPIC_COMMAND_HANDLED = "__ANTHROPIC_COMMAND_HANDLED__";
 
+/**
+ * Maximum number of file-to-account pinning entries retained in memory.
+ * Bounded to prevent unbounded growth across long sessions that touch many
+ * Files API uploads. Eviction is FIFO: when the cap is hit, the oldest entry
+ * (Maps preserve insertion order) is dropped before inserting the new one.
+ */
+export const FILE_ACCOUNT_MAP_MAX_SIZE = 1000;
+
+/**
+ * Insert a fileId→accountIndex binding with FIFO eviction when the cap is reached.
+ * See {@link FILE_ACCOUNT_MAP_MAX_SIZE} for the rationale.
+ */
+export function capFileAccountMap(fileAccountMap: Map<string, number>, fileId: string, accountIndex: number): void {
+  if (fileAccountMap.size >= FILE_ACCOUNT_MAP_MAX_SIZE) {
+    const oldestKey = fileAccountMap.keys().next().value;
+    if (oldestKey !== undefined) fileAccountMap.delete(oldestKey);
+  }
+  fileAccountMap.set(fileId, accountIndex);
+}
+
 export interface CliResult {
   code: number;
   stdout: string;
@@ -38,7 +58,7 @@ export interface CommandDeps {
  * Remove ANSI color/control codes from output text.
  */
 export function stripAnsi(value: string): string {
-  // eslint-disable-next-line no-control-regex
+  // eslint-disable-next-line no-control-regex -- ANSI escape sequences start with \x1b which is a control char
   return value.replace(/\x1b\[[0-9;]*m/g, "");
 }
 
@@ -410,7 +430,7 @@ export async function handleAnthropicSlashCommand(
             data?: Array<{ id: string; filename: string; size: number; purpose: string }>;
           };
           const files = data.data || [];
-          for (const f of files) fileAccountMap.set(f.id, account.index);
+          for (const f of files) capFileAccountMap(fileAccountMap, f.id, account.index);
           if (files.length === 0) {
             await sendCommandMessage(input.sessionID, `▣ Anthropic Files [${label}]\n\nNo files uploaded.`);
             return;
@@ -441,7 +461,7 @@ export async function handleAnthropicSlashCommand(
               data?: Array<{ id: string; filename: string; size: number; purpose: string }>;
             };
             const files = data.data || [];
-            for (const f of files) fileAccountMap.set(f.id, acct.index);
+            for (const f of files) capFileAccountMap(fileAccountMap, f.id, acct.index);
             totalFiles += files.length;
             if (files.length === 0) {
               allLines.push(`[${label}] No files`);
@@ -517,7 +537,7 @@ export async function handleAnthropicSlashCommand(
         }
         const file = (await res.json()) as { id: string; filename: string; size?: number };
         const sizeKB = ((file.size || 0) / 1024).toFixed(1);
-        fileAccountMap.set(file.id, account.index);
+        capFileAccountMap(fileAccountMap, file.id, account.index);
         await sendCommandMessage(
           input.sessionID,
           `▣ Anthropic Files [${label}]\n\nUploaded: ${file.id}\n  Filename: ${file.filename}\n  Size: ${sizeKB} KB`,
@@ -551,7 +571,7 @@ export async function handleAnthropicSlashCommand(
           mime_type?: string;
           created_at?: string;
         };
-        fileAccountMap.set(file.id, account.index);
+        capFileAccountMap(fileAccountMap, file.id, account.index);
         const lines = [
           `▣ Anthropic Files [${label}]`,
           "",

package/src/env.ts

@@ -112,6 +112,7 @@ export function logTransformedSystemPrompt(body: string | undefined): void {
     ) {
       return;
     }
+    // eslint-disable-next-line no-console -- explicit debug logger gated by OPENCODE_ANTHROPIC_DEBUG_SYSTEM_PROMPT
     console.error(
       "[opencode-anthropic-auth][system-debug] transformed system:",
       JSON.stringify(parsed.system, null, 2),

package/src/headers/billing.ts

@@ -9,25 +9,43 @@ export function buildAnthropicBillingHeader(claudeCliVersion: string, messages:
   // the CLI version, then taking the first 3 hex chars of that combined string.
   let versionSuffix = "";
   if (Array.isArray(messages)) {
+    // Find first user message (CC uses first non-meta user turn)
     const firstUserMsg = messages.find(
-      (m) =>
-        m !== null &&
-        typeof m === "object" &&
-        (m as Record<string, unknown>).role === "user" &&
-        typeof (m as Record<string, unknown>).content === "string",
+      (m) => m !== null && typeof m === "object" && (m as Record<string, unknown>).role === "user",
     ) as Record<string, unknown> | undefined;
     if (firstUserMsg) {
-      const text = firstUserMsg.content as string;
-      const salt = "59cf53e54c78";
-      const picked = [4, 7, 20].map((i) => (i < text.length ? text[i] : "0")).join("");
-      const hash = createHash("sha256")
-        .update(salt + picked + claudeCliVersion)
-        .digest("hex");
-      versionSuffix = `.${hash.slice(0, 3)}`;
+      // Extract text from string or content-block array
+      let text = "";
+      const content = firstUserMsg.content;
+      if (typeof content === "string") {
+        text = content;
+      } else if (Array.isArray(content)) {
+        const textBlock = (content as Array<Record<string, unknown>>).find((b) => b.type === "text");
+        if (textBlock && typeof textBlock.text === "string") {
+          text = textBlock.text;
+        }
+      }
+      if (text) {
+        const salt = "59cf53e54c78";
+        const picked = [4, 7, 20].map((i) => (i < text.length ? text[i] : "0")).join("");
+        const hash = createHash("sha256")
+          .update(salt + picked + claudeCliVersion)
+          .digest("hex");
+        versionSuffix = `.${hash.slice(0, 3)}`;
+      }
     }
   }
 
-  const entrypoint = process.env.CLAUDE_CODE_ENTRYPOINT || "cli";
+  const entrypoint = process.env.CLAUDE_CODE_ENTRYPOINT ?? "cli";
+
+  // ---------------------------------------------------------------------------
+  // Billing header construction — mimics CC's mk_() function with two deliberate gaps:
+  // 1. cc_workload field: CC tracks this via AsyncLocalStorage for session-level
+  //    workload attribution. Not applicable to the plugin (no workload tracking).
+  //    See .omc/research/cch-source-analysis.md:124-131
+  // 2. cch value: CC uses placeholder "00000". Plugin computes a deterministic hash
+  //    from prompt content for consistent routing. See cch-source-analysis.md:28-39
+  // ---------------------------------------------------------------------------
 
   // CC's Bun binary computes a 5-char hex attestation hash via Attestation.zig
   // and overwrites the "00000" placeholder before sending. On Node.js (npm CC)